Figure: initial targets of breaches. Apps and identities are the initial targets in 86% of breaches.
Web App Attacks: 53%
User / Identity: 33%
Physical: 11%
Other (VPN, PoS, infra.): 3%
What is the OWASP Top 10?
Fix vulnerabilities • Stop web attacks • Risk & compliance
• Top 10 is a broad consensus on the most critical web application security flaws
• Most are very well known attack vectors that persist
• Coverage is a mandatory minimum for some regulatory requirements such as PCI DSS

Here’s the good news. WAF Technology
• WAFs don’t require access to source code or developers
• WAFs provide coverage for OWASP Top 10
• WAFs fix vulnerabilities promptly without maintenance windows
• WAF offers protection against application attacks
• WAFs can be an alternative to code review
Non-API users: Digital experience, Mobile Web
Self-selected use (Open Web APIs): Tech savvy consumers, Innovators, Disruptors
Enterprise use (B2B APIs): Business partners, Distribution partners, Suppliers
Product integration (Product APIs): Business partners, Product ecosystem, Tech-savvy consumers
Internal API
Enterprise Applications (custom, off-the-shelf, on premise, cloud) and Products

77% of web attacks start from botnets
3 Billion credentials were reported stolen in 2016
App-layer DDoS has increased by 43%

Traditional WAF: OWASP Top 10, SSL/TLS Inspection, Scripting
Advanced WAF: OWASP Top 10, SSL/TLS Inspection, Scripting, Malicious Bots, Credential Attacks, API Attacks

APPLICATION PROTECTION
ADVANCED WAF: Proactive Bot Defense, App-Layer Encryption, Anti-Bot Mobile SDK, Behavioral DDoS

Automation
Half of Internet traffic comes from bots; 30% is malicious
Automated attacks: web attacks, account takeover, Vulnerability Scanning, Web Scraping, Denial of Service
Bot types: Simple bots; Impersonating Bots (Google); Bots with cookies / JS support; Bots that simulate browsers
… target of the same automated attacks
… lack mature security capabilities
… needs mobile specific security
Figure Credit: Verizon 2017 Data Breach Investigations Report
Use Case - Account Takeover
Diagram labels: Users, credentials, Mobile, Hacker, Bots, Data Center, Interconnect, Cloud; Anti-bot Mobile SDK, ATO Protection, Authentication Protection, Credential Encryption

Problem:
• Criminals are performing account takeover by stealing account credentials via malware
Solution:
• App-level credential encryption
• Anti-bot mobile SDK
• Credential Stuffing protection
• Brute force protection
Benefits:
• Prevent the use of dumped credential databases (credential stuffing)
• Prevent the theft of user credentials (credential harvesting)
• Protect mobile apps - identify and pass only the desired mobile applications
DDoS 101 – The Targets
• Volumetric Attacks on Bandwidth
• Attacks on Server stack. Low and Slow.
• Attacks on RAM. Firewall state tables.
• Attacks on crypto capacity. SSL floods.
• Attacks on CPU. IPS Signature Scanning.
• Targeted Attacks. Bugs and flaws in stack.
© F5 Networks, Inc
Use Case - DDoS Attacks
Diagram labels: Users, Hacker, Bots; Silverline Cloud Services, DDoS Managed Service, Silverline Always On, under attack, Communication (signaling); On-Premises, Layer 3 DDoS Protection, Layer 7 DDoS Protection, Core, DDoS Hybrid Defender, Advanced WAF, Users; Option: consolidate into a single layer 3-7 solution

Problem:
• DDoS attacks are growing, but your resources are not
• DDoS mitigation time is slow due to manual initiation and difficult policy tuning
Solution:
• Always-on protection with on-premises hardware
• Mitigate with layered defense strategy and cloud services
• F5 SOC monitoring with portal
• Protect against all attacks with granular control
• Eliminate time-consuming manual tuning with machine learning
Benefits:
• On-premises hardware acts immediately and automatically to mitigate attacks
• Silverline cloud services minimize the risk of larger attacks crippling your site or applications
F5 Advanced WAF
Protect against bots, credential attacks, and app-layer DoS
Diagram labels: Users, credentials, Mobile, Hacker, Bots; Anti-bot Mobile SDK, F5 Advanced WAF, Bot Mitigation, Credential Protection, App-Layer DoS

Defend against bots
• Proactive bot defense
• Anti-bot mobile SDK
• Client and server monitoring
Prevent Account Takeover
• App-level encryption
• Mobile app tampering
• Brute Force protection
Protect apps from DoS
• Auto-tuning
• Behavioral analytics
• Dynamic signatures

Key Benefits:
• Protects Web and mobile apps from exploits, bots, theft, app-layer DoS
• Prevent malware from stealing data and credentials
• Prevent Brute Force attacks that use stolen credentials
• Eliminate time-consuming manual tuning for App-layer DoS protection
THE CHANGING DYNAMICS OF APPLICATION SECURITY
Maximizing Value From Your WAF
• Web Application Firewall: Vulnerabilities & Exploits
• Proactive Bot Defense: Automated Attacks
• Anti-Bot Mobile SDK: Mobile Applications
• DataSafe Encryption: Credential & Data Theft
• Behavioral Analytics: Low & Slow DDoS
• API Protocol Security: API Vulnerabilities
• Threat Intelligence Feeds: Credential Stuffing, Threat Campaigns, Device Identification
Advanced WAF: Bot Defense, DataSafe Encryption, Behavioral DoS; Anti-Bot Mobile SDK
• Standalone Solution: VIPRION, iSeries, VE
• BIG-IP: LTM/GBB/ASM Upgrade, DataSafe Add-on
• Cloud: AWS, Azure, Google; Cloud Marketplace, Cloud Licensing Program, Enterprise BYOL, Per-App-VE Licensing, Add-on
• Mobile SDK: Android, Apple

Professional Services: Fusion
Advanced WAF Deployment: Installation for VIPRION; Installation for BIG-IP (Upgrade only); LaunchPad; Installation for BIG-IP; Appdome

Managed Services: F5 Silverline WAF; Managed WAF Express; F5 Managed Rules for AWS WAF; DDoS Protection; F5 Fraud Services (WebSafe, MobileSafe)

Threat Intel: IP Intelligence, Credential Stuffing, Threat Campaigns, Device Identification
Complementary Solutions: DDoS Hybrid Defender, Access Policy Manager, BIG-IQ
APPDEV / INLINE / HOST
• APPDEV: CODING
• INLINE: WAF (Web Application Firewall): Enterprise protection; Regulatory compliance; VA / DAST integrations; Most effective OWASP 10; Volumetric mitigation
• HOST: RASP (Run-time Application Self Protection): App protection instance; Post WAF, IPS, IDS; Inside app or server; App language dependent; Up to 10% perf. reduction

MITIGATE: Bug fixes, IPS, Bot protection
VULNERABILITY ASSESSMENT: SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing)
DEVELOPMENT → PRODUCTION